I have a source where the index is updating up to 4 am every day. (Before the Daylight Savings shift it was 3 am every day.) Splunk is monitoring a folder over the LAN of rotating log files. In the past the lag was a couple of minutes, but I can't figure out why it's only updating up to 4 am every day. Splunk does not appear to be under any stress. The header of the log files changes under the 246 bytes default limit that Splunk monitors. Using the free version and well under the 500 GB a day.